SANS Digital Forensics and Incident Response Blog

I was reading a great article the other day in the latest Communications of the ACM [1] (membership required) which had an insert titled Computer Science as a Science that discussed the merits of the profession as a bona fide science. Reading it, I could not help but think: what about digital forensics? I had never once questioned the notion in the past. The similarities to classic forensics, already widely accepted to be a true science, gave me transitive reason to consider digital forensics a science as well. Thinking more critically about the question, however, I am not so sure. In fact, I would posit that digital forensics is not a science. This distinction may seem academic, but as we will see, it is an important acknowledgment that may facilitate the advancement of the profession and the state of the art.

What is a science?

Whether or not a body of knowledge is considered a "science" largely seems to depend on whether one interprets science as the study of natural processes [2]. While restrictive, I feel this limitation can be useful in our field. To this end, a science must satisfy the following 6 criteria [1]:

1. Is an organized body of knowledge

2. Provides reproducible results

3. Provides established experimental methods

4. Enables predictions

5. Offers hypotheses which can be disproven

6. Deals with natural objects

Digital forensics is a very young field, but one can see it maturing to the point where items 1-5, if not fully met today, may be met in the near future once our field is more organized (achieving some of them may be quite difficult). Item 6 is one that may never be satisfied. Unlike computer science, for which this sixth point has likewise been debated, digital forensics does not mimic natural processes on its own. While some may take offense at this point, I feel it should be embraced as quite empowering.

Where does forensics fall?

One can see how the more established forensic disciplines easily meet these 6 criteria. However, with a noble title like "science" come challenges that simply do not exist for digital forensics. The axioms upon which the body of knowledge of classic forensics rests are immutable, empirically discovered properties of nature. This means any shortcoming in the goal of discovering "what happened" that has its basis in these axioms is a caveat that cannot be reversed or amended; it must simply be acknowledged.

By comparison, digital forensics rests on axioms defined by man - how machines operate and are used is fundamentally an artificial creation. This is at once both profoundly enabling and terribly challenging. The temporal nature of the machines and processes we study means that drawing one consistent conclusion under given circumstances is in and of itself a moving target. It requires vigorous study of the state of the art, and lends itself to mistakes based on dated knowledge, because the fundamental properties of our systems are in flux. However, providing more than a silver lining, and the reason I find it convenient (as well as academically defensible) that digital forensics is not a science, is our ability to modify and affect these axioms. This is never possible in any natural science - we can't modify DNA or fingerprints to make them more easily distinguishable from one another, for example.

Science as an Inhibitor

The molar weight of an element, the magnetic polarity of a molecule, the universal gravitational constant, the ideal gas law: these are all things that will never change in the universe in which we exist, even if our understanding of them evolves over time. But the changes that occur on a system when code is executed, the layout of a process in memory, all of the processes we rely on in digital forensics, are temporal. This enables us to provide feedback to the creators of these systems to improve those processes in ways that are favorable to our field. We have already seen great mindset changes amongst software developers relating to access control on systems because of pressure from consumers for greater security. Similarly, we have in theory the ability to effect change on systems in ways that will make digital investigations more favorable to the investigator. Such mechanisms and feedback loops already take place - take logging, for instance. However, we can certainly do better.

Also in our favor, as purveyors of a field of study not based in nature, is access to the base properties of the systems. We do not have to discover empirically how a filesystem or file is laid out on disk (although in some cases *cough*Microsoft*cough* we are left to do so); we have access to the schematics and can know by deductive reasoning, a much more powerful and final type of knowledge than empiricism IMO - with sincere apologies to Immanuel Kant, of course.

If you're still reading and haven't been completely turned off by my philosophical drain-swirling 'round epistemology, I thank you. I do feel acknowledgment of the nature of our field (pun intended) is important in its early years, so we fully understand and embrace just how far we can take our study. I challenge all of you in this profession to leverage this powerful feedback loop and consider how lessons learned in digital forensic investigations can be fed back into software development, facilitating our goals of reproducing the past.

Is digital forensics a science? Reasonable nerds may disagree, but I say "no."

References

Michael is a senior member of Lockheed Martin's Computer Incident Response Team. He has lectured for various audiences from IEEE to DC3, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering and has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others.

2 Comments

Anton Chuvakin

"Is digital forensics a science? Reasonable nerds may disagree, but I say "no.""

Agreed for today. Here is another useful question (a set):

1. CAN it be? (ever? when?)

2. SHOULD it be?

3. What will happen to court process if dig forensics will NEVER become science?

craigswright

Actually, the weights of elements are changing (they become more and more accurate over time). It is just that the differences in the change are not significant to the average individual.

I would say that digital forensics is a science for some, and art for most.

I am working on creating CFGs (context free grammars) for malware and modeling drive read/write properties, both of which will be published (likely next year). The former is basic computer science and the latter is a combination of materials science and magnetic particle physics. Each is a science.

A lack of knowledge is not what makes a science; the process used to find and add knowledge is.

In my case, I run tests and record results such that I can report a confidence interval with a level of certainty. The difference is that most people in the field are craftsmen or even in some cases engineers, and only a few people are scientists. This is not a problem per se. Most people care about the implementation more than the theory. So, it is a science, just there are few scientists in the field.
